So, after writing my previous post, I figured I'd talk a bit about how folks can use sessions and the cookie-based cflogin together.

Out of the box the first issue you run into is that sessions have a default timeout of twenty minutes, while cflogin has a timeout of thirty minutes. You could modify the timeout for either the session or cflogin scope.

What I typically do is a bit simpler. I check to see if a particular session variable exists, one that I set when I log a user on. If the variable does not exist, I call cflogout to ensure the cflogin scope is cleared.

<!--- session.user is set at logon; if it is gone, the session has expired --->
<cfif not isDefined("session.user")>
    <cflogout>
</cfif>

Another version of this code handles both the session timing out and allowing for a forced logout.

<!--- Session expired, or the user asked to log out via ?logout --->
<cfif not isDefined("session.user") or isDefined("url.logout")>
    <cfset structDelete(session,"user")>
    <cflogout>
</cfif>

This will clear both scopes if either the session ends or the user chooses to log out.
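
To show where the check above sits relative to the login itself, here is an added example (not code from the original post) of an Application.cfc that sets session.user inside cflogin, runs the cleanup first on every request, and sets the cflogin idle timeout to match the session timeout. The application name, the form field names, login.cfm, and the checkCredentials helper with its demo account are all assumptions made for illustration.

```cfml
<!--- Application.cfc: added example; names marked "hypothetical" are not from the post --->
<cfcomponent output="false">
    <cfset this.name = "sessionLoginDemo"> <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <!--- Session timeout stated explicitly so it can be compared with idletimeout below --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Run before cflogin: if the session is gone or logout was requested,
              clear both scopes so cflogin treats the user as logged out --->
        <cfif not structKeyExists(session, "user") or structKeyExists(url, "logout")>
            <cfset structDelete(session, "user")>
            <cflogout>
        </cfif>

        <!--- The cflogin body runs only when no user is logged in.
              idletimeout is in seconds; 1200 = 20 minutes, same as the session --->
        <cflogin idletimeout="1200">
            <cfif structKeyExists(form, "username") and structKeyExists(form, "password")
                  and checkCredentials(form.username, form.password)>
                <!--- password is a required attribute; the real password is not
                      needed after verification, so a throwaway value is passed --->
                <cfloginuser name="#form.username#" password="#createUUID()#" roles="user">
                <!--- The marker variable the cleanup check looks for --->
                <cfset session.user = form.username>
            <cfelse>
                <cfinclude template="login.cfm"> <!--- hypothetical login form --->
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>
    </cffunction>

    <!--- Hypothetical helper with a constructed demo account; a real
          application would look the user up in its own user store --->
    <cffunction name="checkCredentials" returnType="boolean" access="private" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfreturn arguments.username eq "demo" and compare(arguments.password, "constructed-demo-only") eq 0>
    </cffunction>
</cfcomponent>
```

With both timeouts set to the same value the two scopes normally expire together, and the check at the top of onRequestStart covers the cases where they do not.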